Cryptographic Access Control in Electronic Health Record Systems: A Security Implication

Pasupathy Vimalachandran (1), Hua Wang (2), Yanchun Zhang (2), Guangping Zhuo (3) and Hongbo Kuang (4)

(1) Centre for Applied Informatics, College of Engineering and Science, Victoria University, Melbourne, Australia. [email protected]
(2) {hua.wang,yanchun.zhang}@vu.edu.au
(3) Department of Computer Science, Taiyuan Normal University, China. [email protected]
(4) Bistone Information Technology Ltd, Ahjie Pty Ltd. [email protected]
Abstract. An electronic health record (EHR) system is designed to allow individuals and their health care providers to access key health information online. These systems are considered more efficient, less error-prone and more available than traditional paper-based systems. However, privacy and security concerns are arguably the major barriers to the adoption of these systems globally, including in Australia. Individuals are unwilling to accept EHR systems unless they are assured that their shared key health information is securely stored, that a proper access control mechanism is used and that any unauthorised disclosure is prevented. In this paper, we propose a cryptographic access control mechanism to protect the health information in EHR systems. We also develop a new encryption framework for the cryptographic access control to maintain a high level of protection. We systematically review traditional cryptographic methods to identify their weaknesses, in order to overcome those weaknesses in our new method.
Keywords: EMR concerns, EHR, PCEHR security
1. Introduction
Healthcare has evolved to a point where patients have more than one healthcare provider. This has resulted in the growing need to create an integrated infrastructure for the collection of diverse medical data for healthcare professionals, where the adoption of a standardised Electronic Health Record (EHR) has become imminent [1]. An EHR is a summary of health events usually drawn from several electronic medical records and may consist of the elements that are eventually shared in a national EHR [2, 3]. Iakovidis [4] has defined an EHR as “digitally stored health care information about an individual’s lifetime with purpose of supporting continuity of care, education and research, and ensuring confidentiality at all times”. An online EHR also enables patients to manage and contribute to their own medical notes in a centralised way, which greatly facilitates the storage, access and sharing of personal health data. Storing medical records digitally in the cloud clearly offers great promise for increasing the efficiency of the healthcare system. EHR systems make a considerable amount of health information obtainable, which improves the quality and efficiency of medical care [5]. Accessibility is therefore key for any EHR system: health care providers should be able to access patient health information when and where it is needed. On the other hand, confidential patient health information must be stored securely and protected from unauthorised access. Among the many barriers to the implementation of EHR systems, privacy and security concerns about patients’ health information are arguably the most dominant. Medical records stored on a central server and exchanged over the Internet are subject to theft [6, 26, 28]. A record in an EHR system includes highly confidential personal information about a patient: allergies, current medication and medical history. The following are a few real-world examples of unauthorised access to an EHR that can lead to a negative outcome:
- an employer accesses an employee’s (or future employee’s) mental health illness;
- an insurance company accesses a client’s medical status to increase the insurance premium or refuse life insurance;
- a health care provider (other than the usual one) accesses unnecessary health information to discriminate against patients.

1.1 Personally Controlled Electronic Health Record (PCEHR)
In the meantime, a national EHR was introduced in Australia in 2012, and the Government has invested many millions of dollars to build the key components of the Personally Controlled Electronic Health Record (PCEHR) to improve health outcomes and reduce health costs in the country [7, 27]. However, the take-up of the PCEHR system by individuals (patients or consumers) and health care providers is inadequate [8, 9]. The implementation of an EHR system faces many challenges which ultimately impede its wider adoption, and privacy and confidentiality concerns are among the foremost. Addressing these concerns in order to win individuals over is crucial. Once patients’ personal health data are stored on a cloud or local server under the PCEHR, it is not quite clear who else can access them other than the patient’s usual doctor. For example, with the current system, all other healthcare providers working for a healthcare provider organisation can access a patient’s clinical information. There are also instances where administration staff may access patients’ clinical information to improve the business (e.g. targeting high-risk chronic disease patients or pap smear patients who are due for a reminder) [9, 10].
1.2 Our contribution
In the rest of the paper, we review previous work in Section 2. In Section 3, we propose our new method for encrypting and decrypting with a key to provide cryptographic access control. This includes the step-by-step development, the substitution table and block diagrams. The design of the implementation is explained in Section 4. Section 5 describes the development of the system; a programming language is used to develop the model. Section 6 concludes the paper and suggests future developments.
2. Related work
Several access control strategies for EHR have been developed in the past [11]. Most of the work on privacy protection in healthcare systems still concentrates on framework design or solution proposals without a technical realisation [12, 13]. However, the technical details of a proposed access control model are important for clearly understanding the novelty of the concept. From this perspective, a cryptographic access control method becomes very prominent for the model. Lee and Lee [14] proposed a cryptographic key management solution for the privacy and security of patients’ EHR. Some recent works on attribute-based encryption [15, 16] enable encryption-based access control; however, these works focus more on policies. The cryptographic storage file system (CSFS) was introduced by Blaze [17], in which files are encrypted before being stored on an untrusted file server. Fu [18] then presented a CSFS system which allows the sharing of access rights. Tan et al. [19] proposed a technical realisation of the role-based approach for a limited health care setting in which a body sensor network is deployed. This work mainly applies to an emergency care scenario, and privacy concerns and access control restrictions are discussed. The scheme fails to address storing and retrieving healthcare records in a cloud environment and identifying the right record for a query by health care providers. This shortcoming compromises patients’ privacy requirements. Many other access control models have also been proposed to secure information stored in EHR systems [22 - 25]. These models mainly discuss delegation and revocation methods [20]. Other models address authentication in body sensor networks [21].
3. Proposed Model
The proposed framework is named ‘HighSec’. The following matrix table (Table 1) has been designed to work with HighSec: each character is assigned the number shown beneath it.
 A   B   C   D   E   F   G
39  40  41  42   1   2   3
 H   I   J   K   L   M   N
 4   5   6   7   8   9  10
 O   P   Q   R   S   T   U
11  12  13  14  15  16  17
 V   W   X   Y   Z   0   1
18  19  20  21  22  23  24
 2   3   4   5   6   7   8
25  26  27  28  29  30  31
 9   _   ?   @   ,   .   &
32  33  34  35  36  37  38

Table 1: HighSec Substitution Secret Fixed (HSSF) table (each row of characters is followed by the row of its numbers)
3.1 Encryption process
The HighSec algorithm is explained below in seven steps with appropriate examples. To make the HighSec algorithm stronger, the following improved cipher matrix (Table 2) has been created and used. The length of the key is 7.
T  A  B  L  E  @  7
F  G  H  I  J  K  M
N  O  P  Q  R  S  U
V  W  X  Y  Z  0  1
2  3  4  5  6  8  9
_  ?  ,  .  &  C  D
Table 2: HighSec Matrix

With the message TL LW UN GF 3_ 34 UI 45, the following replacements occur on the above digraphs:
The pair TL is in the same row, so TL -> TL
The pair LW forms a rectangle, so LW -> AY
The pair UN is in the same row, so UN -> UN
The pair GF is in the same row, so GF -> GF
The pair 3_ forms a rectangle, so 3_ -> 2?
The pair 34 is in the same row, so 34 -> 34
The pair UI forms a rectangle, so UI -> QM
The pair 45 is in the same row, so 45 -> 45
The final ciphertext is TL AY UN GF 2? 34 QM 45. So the ciphertext for the plaintext “Do Not Use 100PC” would be TLAYUNGF2?34QM45.
Figure 2: HighSec Block Diagram for Encryption (block labels, in order)

Key lane: Key -> Make five-character blocks -> Fill gap letters from 1 onwards to make equal to message -> Matrix table: convert into numbers using matrix table
Plaintext lane: Plaintext message -> Make five-character blocks -> Fill gap by ‘X’ to make equal to key -> Matrix table: convert into numbers using matrix table
Both lanes: Add two numbers modulo 42 -> Matrix table: convert into characters using matrix table -> Fill gap by ‘X’ to make two-character block -> Make two-character blocks (digraph) -> Apply 7*6 matrix (using Key and Key length) -> Final cipher text
3.2 Decryption process

Figure 3: HighSec Block Diagram for Decryption (block labels, in order)

Final cipher text -> Key length -> Make two-character blocks (digraph) -> Key -> Apply 7*6 matrix table for conversion -> Make five-character blocks -> Remove “_” from alternate block -> Matrix table: convert into numbers using matrix table (Key -> Matrix table: convert into numbers using matrix table) -> Subtract each number from key -> Matrix table: convert into characters using matrix table -> Remove ‘X’ from gaps -> Make five-character groups -> Plaintext message
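To make the two stages of Sections 3.1 and 3.2 concrete, the following is a complete reference model of HighSec written for this page; it is added example code, not the authors' implementation. It assumes that the key is TABLE@7 (the string that heads Table 2), that a digraph in the same column is left unchanged like one in the same row (the paper only describes the same-row and rectangle cases), that an odd-length intermediate string is padded with ‘_’ at its end, and that key extension wraps around the table if more than 42 padding characters are needed. Under these assumptions it rebuilds Table 2 from the key, reproduces the digraph step of Section 3.1 (TL LW UN GF 3_ 34 UI 45 becomes TL AY UN GF 2? 34 QM 45) and the first nine summed characters of that example, and decrypts what it encrypts. Because the paper's example places the padding ‘_’ after the ninth character rather than at the end, the final ciphertext it produces for “Do Not Use 100PC” differs from the one printed above.

```python
"""HighSec (Section 3) as an added, runnable reference model.

Example code written for this page, not the authors' implementation.
Assumptions: key "TABLE@7" (the string heading Table 2); same-column
digraphs unchanged; odd-length intermediate strings padded with "_" at the
end; key extension wraps around the table after 42 padding characters.
"""

# Table 1 (HSSF) in index order 1..42:
# E..Z -> 1..22, 0..9 -> 23..32, "_ ? @ , . &" -> 33..38, A..D -> 39..42.
HSSF = list("EFGHIJKLMNOPQRSTUVWXYZ") + list("0123456789") + list("_?@,.&") + list("ABCD")
INDEX = {ch: i + 1 for i, ch in enumerate(HSSF)}  # character -> 1-based table number
ROWS, COLS = 6, 7                                  # Table 2 is a 7*6 matrix


def normalise(plaintext: str) -> str:
    """Upper-case, drop spaces and pad with 'X' to whole five-character blocks (Figure 2)."""
    text = "".join(plaintext.upper().split())
    return text + "X" * (-len(text) % 5)


def extend_key(key: str, length: int) -> str:
    """Extend the key 'from 1 onwards' (E, F, G, ...) to the message length.
    Assumption: wrap around the table if more than 42 padding characters are needed."""
    pad = "".join(HSSF[i % len(HSSF)] for i in range(max(0, length - len(key))))
    return (key + pad)[:length]


def add_mod42(text: str, key: str) -> str:
    """Stage 1: add the table numbers of message and key modulo 42, keeping the
    result inside the table's 1..42 range, and convert back to characters."""
    k = extend_key(key, len(text))
    return "".join(HSSF[(INDEX[p] + INDEX[q] - 1) % 42] for p, q in zip(text, k))


def sub_mod42(text: str, key: str) -> str:
    """Inverse of add_mod42 (Figure 3: 'Subtract each number from key')."""
    k = extend_key(key, len(text))
    return "".join(HSSF[(INDEX[c] - INDEX[q] - 1) % 42] for c, q in zip(text, k))


def build_matrix(key: str) -> list[list[str]]:
    """Table 2: the key's characters first, then the remaining characters in
    Table 1 order, filled row by row into a 6-row by 7-column grid."""
    order: list[str] = []
    for ch in key + "".join(HSSF):
        if ch not in order:
            order.append(ch)
    return [order[r * COLS:(r + 1) * COLS] for r in range(ROWS)]


def digraph_substitute(text: str, matrix: list[list[str]]) -> str:
    """Stage 2: a pair forming a rectangle swaps columns (LW -> AY); a pair in one
    row is unchanged (TL -> TL). Same-column pairs are assumed unchanged as well.
    Swapping columns twice restores the pair, so this function is its own inverse."""
    pos = {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}
    if len(text) % 2:
        text += "_"  # assumption: pad at the end to complete the last digraph
    out = []
    for a, b in zip(text[0::2], text[1::2]):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra != rb and ca != cb:
            out.append(matrix[ra][cb] + matrix[rb][ca])
        else:
            out.append(a + b)
    return "".join(out)


def highsec_encrypt(plaintext: str, key: str) -> str:
    return digraph_substitute(add_mod42(normalise(plaintext), key), build_matrix(key))


def highsec_decrypt(ciphertext: str, key: str) -> str:
    summed = digraph_substitute(ciphertext, build_matrix(key))
    if len(summed) % 5 == 1:      # stage-1 output is a multiple of five, so this is the "_" pad
        summed = summed[:-1]
    return sub_mod42(summed, key).rstrip("X")  # Figure 3: "Remove 'X' from gaps"


if __name__ == "__main__":
    KEY = "TABLE@7"
    m = build_matrix(KEY)
    print(*(" ".join(row) for row in m), sep="\n")      # reproduces Table 2
    print(add_mod42("DONOTUSE100PCXX", KEY))             # TLLWUNGF334UI45
    print(digraph_substitute("TLLWUNGF3_34UI45", m))     # TLAYUNGF2?34QM45 (the paper's example)
    ct = highsec_encrypt("Do Not Use 100PC", KEY)
    print(ct, highsec_decrypt(ct, KEY))                  # TLAYUNGF339PH52. DONOTUSE100PC
```

The 1..42 range matters: the table has no entry 0, so the addition is done on the 1-based numbers as ((p + q - 1) mod 42) + 1, which agrees with every pair in the paper's example (D + T = 42 + 16 = 58 gives 16 = T) and also covers sums that are exact multiples of 42.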
4. Development of the proposed model
In developing the proposed model, a computer programming language has been used. The development environment can also be utilised to evaluate the proposed model. The following code performs the encryption of the cryptographic access control model.

    ' Module-level declarations (assumed; the original listing omits them and relies on VB6 implicit typing)
    Dim cn As New ADODB.Connection
    Dim arrTab(42) As String        ' HSSF table (Table 1): arrTab(1) = "E" ... arrTab(42) = "D"
    Dim firstlogin As Boolean

    Sub Main()
        cn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + App.Path + "\userdb.mdb;Persist Security Info=False"
        firstlogin = True
        ' key = "AIM"

        ' Build the HSSF table in index order: E..Z -> 1..22, 0..9 -> 23..32,
        ' "_ ? @ , . &" -> 33..38, A..D -> 39..42
        Dim i As Integer, j As Integer
        j = 1
        For i = 69 To 69 + 21           ' Chr(69) = "E" .. Chr(90) = "Z"
            arrTab(j) = Chr(i)
            j = j + 1
        Next
        For i = 0 To 9
            arrTab(j) = CStr(i)
            j = j + 1
        Next
        arrTab(j) = "_": j = j + 1
        arrTab(j) = "?": j = j + 1
        arrTab(j) = "@": j = j + 1
        arrTab(j) = ",": j = j + 1
        arrTab(j) = ".": j = j + 1
        arrTab(j) = "&": j = j + 1
        For i = 65 To 65 + 3            ' Chr(65) = "A" .. Chr(68) = "D"
            arrTab(j) = Chr(i)
            j = j + 1
        Next

        ' frmmenu.Show
        ' frmuser.Show
        ' frmcustomer.Show
        Form1.Show
    End Sub

    Public Function encryptdata(plaintext As String, key As String) As String
        Dim lenkey As Integer, lenplain As Integer
        Dim cipher As String, newkey As String
        Dim i As Integer, j As Integer, k As Integer
        Dim plainchar As String, keychar As String
        Dim plainno As Integer, keyno As Integer, NO As Integer
        Dim foundchar As Boolean

        lenkey = Len(key)
        ' Extend the key to the message length with table entries from index 1 onwards (E, F, G, ...)
        k = 1
        newkey = key
        For i = Len(key) + 1 To Len(plaintext)
            newkey = newkey & arrTab(k)
            k = k + 1
        Next
        lenplain = Len(plaintext)

        For i = 1 To lenplain
            ' Look up the table number of the plaintext character
            foundchar = False               ' reset per character (the original carried the flag over from the previous iteration)
            plainchar = Mid(plaintext, i, 1)
            For j = 1 To 42
                If plainchar = arrTab(j) Then
                    foundchar = True
                    plainno = j
                    Exit For
                End If
            Next
            ' Look up the table number of the key character at the same position
            If foundchar Then
                foundchar = False
                keychar = Mid(newkey, i, 1)
                For j = 1 To 42
                    If keychar = arrTab(j) Then
                        keyno = j
                        foundchar = True
                        Exit For
                    End If
                Next
            End If
            If foundchar Then
                ' Add the two numbers modulo 42, keeping the result inside the table's 1..42 range
                ' (the original used Mod 43, which matches neither Figure 2 nor the worked example in Section 3.1)
                NO = ((plainno + keyno - 1) Mod 42) + 1
                cipher = cipher & arrTab(NO)
            Else
                cipher = ""                 ' a character outside the table aborts the encryption
                Exit For
            End If
        Next
        encryptdata = cipher
    End Function

Code 1: Encryption
Code has also been written for decryption, positioning the matrix table, replacing characters, creating a new table, and encrypting and decrypting the new table.
5. Basic Evaluation of the proposed model
The model must satisfy the following two security requirements; Table 3 below illustrates the evaluation process.
(i) Data are encrypted before being saved into the database.
(ii) Data are decrypted when access is required.

No. | Evaluation / Review                                 | Definition                                                                                              | Reference
1   | Are data encrypted before saving into the database? | Yes. Using the new HighSec algorithm, encryption is done before writing into the database.              | Section 3
2   | Are data decrypted when access is required?         | Yes. Using the new HighSec algorithm, decryption is done when the data are retrieved from the database. | Section 3

Table 3: Evaluation
6. Conclusion and future suggestions
In this paper, we present a new cryptographic access control model for accessing EHR systems. The design and development of the model are also provided and the technical details are discussed. The whole development process is explained using program code for all functions of the proposed model, including the encryption and decryption processes. Using this complete working environment, the proposed model can be evaluated easily. In future development, the algorithm could be extended to distinguish lower-case and upper-case letters and to support other special symbols as well.
References

[1] Vimalachandran, P., Wang, H., Zhang, Y. (2015), “Securing Electronic Medical Record and Electronic Health Record Systems through an Improved Access Control”, In: 4th International Health Information Science Conference (HIS), Melbourne, LNCS, vol. 9085, pp. 17-30.
[2] Pearce, C. (2009), “Electronic medical records - where to from here?”, Professional Practice, Melbourne.
[3] McInnes, D.K., Slatman, D.C., Kidd, M.R. (2011), “General practitioners' use of computers for prescribing and electronic health records: results from a national survey”, Australia. http://www.clinfowiki.org/wii/index.php/General_practitioners%27_use_of_computers_for_prescribing_and_electronic_health_records:_results_from_a_national_survey (accessed March 12, 2016).
[4] Iakovidis, I. (1998), “Towards Personal Health Record: Current situation, obstacles and trends in implementation of Electronic Healthcare Records in Europe”, International Journal of Medical Informatics, vol. 52, no. 128, pp. 105-117.
[5] Shekelle, P., Morton, S. C., Keeler, E. B. (2006), “Costs and Benefits of Health Information Technology”, Evidence Reports/Technology Assessments, No. 132.
[6] Rash, M. C. (2005), “Privacy concerns hinder electronic medical records”, The Business Journal of the Greater Triad Area, Apr. 2005.
[7] Department of Health (2013), “Get your personal eHealth record now”, Canberra: Department of Health, www.ehealth.gov.au (accessed March 10, 2015).
[8] Glance, D. (2013), “Is the government’s missed health record target meaningful?”, The Conversation, Melbourne.
[9] Dunlevy, S. (2015), “Taxpayers have spent more than $1 billion on a digital health record that doctors won’t use”, News.Com, Melbourne.
[10] Royle, R. (2013), “Review of the Personally Controlled Electronic Health Record”, Department of Health, Canberra, pp. 13-15.
[11] Bosch, M., et al. (2009), “Review article: Effectiveness of patient care teams and the role of clinical expertise and coordination: A literature review”, Med. Care Res. and Rev.
[12] Ray, P., Wimalasiri, J. (2006), “The need for technical solutions for maintaining the privacy of EHR”, in Proc. 28th IEEE EMBS Annual International Conference, pp. 4686-4689, Sept. 2006.
[13] Mont, M. C., Bramhall, P., Harrison, K. (2003), “A flexible role-based secure messaging service: Exploiting IBE technology for privacy in health care”, in Proc. 14th International Workshop on Database and Expert Systems Applications (DEXA’03), 2003.
[14] Lee, W.-B., Lee, C.-D. (2008), “A cryptographic key management solution for HIPAA privacy/security regulations”, IEEE Trans. Information Technology in Biomedicine, Jan. 2008.
[15] Goyal, V., Pandey, O., Sahai, A., Waters, B. (2006), “Attribute-based encryption for fine-grained access control of encrypted data”, in ACM Conference on Computer and Communications Security, pp. 89-98, 2006.
[16] Sahai, A., Waters, B. (2005), “Fuzzy identity-based encryption”, in EUROCRYPT, pp. 457-473, 2005.
[17] Blaze, M. (1993), “A cryptographic file system for UNIX”, in ACM Conference on Computer and Communications Security, pp. 158-165, 1993.
[18] Fu, K. (1999), “Group sharing and random access in cryptographic storage file systems”, Master's thesis, Massachusetts Institute of Technology, June 1999.
[19] Tan, C. C., Wang, H., Zhong, S., Li, Q. (2008), “Body sensor network security: an identity-based cryptography approach”, The ACM Conference on Wireless Network Security (WiSec’08), Apr. 2008.
[20] Zhang, L., Ahn, G. J., Chu, B. T. (2003), “A rule-based framework for role based delegation and revocation”, ACM Transactions on Information and System Security, vol. 6, no. 3, pp. 404-441, 2003.
[21] Bao, S.-D., Zhang, Y.-T., Shen, L.-F. (2005), “Physiological signal based entity authentication for body area sensor networks and mobile healthcare systems”, in Proc. 28th IEEE EMBS Annual International Conference, pp. 58-65, Sept. 2005.
[22] Wang, H., Cao, J., Zhang, Y. (2005), “A flexible payment scheme and its role-based access control”, IEEE Transactions on Knowledge and Data Engineering, 17(3), 425-436.
[23] Sun, X., Li, M., Wang, H. (2011), “A family of enhanced (L, α)-diversity models for privacy preserving data publishing”, Future Generation Computer Systems, 27(3), 348-356.
[24] Wang, H., Zhang, Y., Cao, J. (2009), “Effective collaboration with information sharing in virtual universities”, IEEE Transactions on Knowledge and Data Engineering, 21(6), 840-853.
[25] Kabir, M. E., Wang, H., Bertino, E. (2011), “A conditional purpose-based access control model with dynamic roles”, Expert Systems with Applications, 38(3), 1482-1489.
[26] Sun, X., et al. (2011), “Injecting purpose and trust into data anonymization”, Computers & Security, 30(5), 332-345.
[27] Kabir, M. E., et al. (2011), “Efficient systematic clustering method for k-anonymization”, Acta Informatica, 48(1), 51-66, 2011.
[28] Sun, X., et al. (2012), “Satisfying privacy requirements before data anonymization”, The Computer Journal, 55(4), 422-437.